Thanos Ransomware | RIPlace, Bootlocker and More Added to Feature Set

Thanos ransomware burst onto the scene in late 2019, advertised in various forums and closed channels. Thanos is a RaaS (Ransomware as a Service) which provides buyers and affiliates with a customized tool to build unique payloads.

This tool is far more complex and robust than many previous builder-based ransomware services such as NemeS1S and Project Root. The generated payloads can be configured with numerous features and options. Many of the options available in the Thanos builder are designed to evade endpoint security products, and this includes the use of the RIPlace technique. To date, Thanos appears to be the only widely-recognized threat making use of RIPlace, although the feature was not always part of the Thanos toolset.

Initial Feature Set

The original advertised general feature set in November 2019 included:

  • Written in .NET
  • Support for Windows 7 upward
  • Simple and attractive builder interface
  • Automatic updates to the builder tool(s)
  • Strong encryption, via “American Government Encryption standard for communications with a large encryption key.”
  • Unique encryption keys per host
  • Configurable ransom note, and extensions
  • Small client footprint

In those same early posts, the following more “advanced” features were highlighted:

  • Multiple persistence options
  • Client (payload) can be set as a critical payload (resulting in BSOD upon attempts to terminate)
  • Randomized assembly data
  • Anti-VM / VM-evasion
  • Termination of Windows Defender and other AV products
  • 100GB Maximum filesize for encryption, which can be expanded
  • FTP-based logging
  • Mutex-based duplication avoidance
  • Configurable spreading options (network and removable drive attacks)
  • Strong “obfuscation against forensics”
  • Dynamic code generation
  • Polymorphic clients
  • Various compilation platform options

Development with RIPlace

The option to include the RIPlace technique appeared in early January 2020 and was subsequently made available to existing “customers” and “affiliates”.

Between February and June 2020, the following features were added to the toolset:

  • RIPlace
  • Updated FTP-based reporting
  • Built-in Rootkit feature (ransomware is now stealthy and invisible to Task Manager during encryption)
  • Tool interface improvements
  • Immortal process support expansion
  • Encryption speed enhancements (advertised to fully encrypt hosts in less than 2 minutes)
  • Rootkit option expanded to support Windows 7, 8, 10 on both x86 and x64 architectures
  • LAN-wide ransom notes can now appear at Windows Login
  • Runtime dyncheck for the ransomware client
  • Support for distinguishing between upper and lower-case file extensions
  • Updated Client expiration options
  • LAN share encryption without having to map drives
  • Updated runtime compilation
  • Routine cloud-based “Refud” (updates to AV evasion)

In April 2020, an option to simply encrypt “All Files” independent of the file extensions was added along with improved network encryption methods.

Rapid Iteration Continues

More notable changes were made to the toolset in May 2020. These updates include:

  • Disabling of 3rd party backup solutions (in addition to AV product termination)
  • Ransomware client now both self-deletes AND overwrites its relevant disk sectors to increase the complexity of forensics
  • File-permission changing to capture (exfil) or encrypt more files
  • Users can now be fully locked out of their Windows/Microsoft accounts
  • Bootlocker feature will display the ransom note at boot level (non UEFI / Secure Boot-protected clients)
  • Removal of Windows Defender signature files
  • Safe-mode encryption option
  • Network-adjacent hosts can also be encrypted in safe-mode

Recent updates of the toolset extend into June 2020:

  • Faster and more reliable directory traversal algorithm in the decryption process
  • LAN infection procedure is now Wake-on-LAN aware and capable
  • On-the-fly encryption of newly connected drives: if a host is actively infected, any newly connected drive (e.g. USB) will be encrypted
  • Encryption routine can impersonate SYSTEM via process hollowing
  • LAN infection using varied/rotating accounts or identities
  • Network encryption via tokens that differ from the current user
  • Expanded support of encryption on Windows Server 2012

The actors behind Thanos are very aware of their “clients’” needs and of the attention they are getting from the security industry. The most recent update included some degree of code rebuilding in order to keep evading security products that have updated their signatures in response to the recent media attention. That should be a subtle hint to move away from signature-based products if you are still on the fence. This is not unique to Thanos: malware authors are constantly adjusting payloads to avoid signature-based detection.

Encryption Methodology

Thanos’ encryption methodology has varied across the evolution of its payloads. Based on both our own analysis and that of others (Recorded Future), Thanos generates a random 32-byte string at runtime and uses it as the passphrase for file encryption (AES). That string is then encrypted with the attacker’s public key and embedded in the generated ransom note(s). As a result, encrypted data cannot be recovered without the corresponding private key.

Delivery and Behavior

The primary delivery method of Thanos ransomware (observed in-the-wild) is phishing emails. Recent campaigns have used standard financial-based lures in the email message (tax refund details, various invoice schemes, economic stimulus package updates).

Upon launch, the ransomware will, depending on the build and configuration, attempt to terminate processes belonging to a plethora of security products and system utilities. This is done both to ensure complete and thorough encryption and to increase its ability to harvest data and files.

The following commands were pulled from a sample:

stop avpsus /y
stop McAfeeDLPAgentService /y
stop mfewc /y
stop BMR Boot Service /y
stop NetBackup BMR MTFTP Service /y
config SQLTELEMETRY start= disabled
config SQLTELEMETRY$ECWDB2 start= disabled
config SQLWriter start= disabled
config SstpSvc start= disabled

Standard tricks to disable and delete Volume Shadow Copies are also used. These commands can be seen in the same sample:

Delete Shadows /all /quiet
resize shadowstorage /for=c: /on=c: /maxsize=401MB
resize shadowstorage /for=c: /on=c: /maxsize=unbounded
resize shadowstorage /for=d: /on=d: /maxsize=401MB
resize shadowstorage /for=d: /on=d: /maxsize=unbounded
resize shadowstorage /for=e: /on=e: /maxsize=401MB
resize shadowstorage /for=e: /on=e: /maxsize=unbounded
resize shadowstorage /for=f: /on=f: /maxsize=401MB
resize shadowstorage /for=f: /on=f: /maxsize=unbounded
resize shadowstorage /for=g: /on=g: /maxsize=401MB
resize shadowstorage /for=g: /on=g: /maxsize=unbounded
resize shadowstorage /for=h: /on=h: /maxsize=401MB
resize shadowstorage /for=h: /on=h: /maxsize=unbounded

The following suspicious WMI queries are present as well:

start iwbemservices::execquery - select __path, processid, csname, caption, sessionid, threadcount, workingsetsize, kernelmodetime, usermodetime, parentprocessid from win32_process where ( caption = "mspub.exe")

start iwbemservices::execquery - select __path, processid, csname, caption, sessionid, threadcount, workingsetsize, kernelmodetime, usermodetime, parentprocessid from win32_process where ( caption = "mydesktopqos.exe")

start iwbemservices::execquery - select __path, processid, csname, caption, sessionid, threadcount, workingsetsize, kernelmodetime, usermodetime, parentprocessid from win32_process where ( caption = "mydesktopservice.exe")

start iwbemservices::execquery - select caption from win32_operatingsystem
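As an added detection example (not part of the original post), the following Python scores one host's process command lines and captured WQL query text against the service-stopping, shadow-copy and process-lookup behaviour quoted above. The events are constructed, and the invoking binaries vssadmin, sc and net are assumed since the sample strings omit them.

```python
import re

# Constructed sample events for one host (not from the original post): process
# command lines plus one WQL query, mirroring the fragments quoted in the article.
# The invoking binaries (vssadmin, sc, net) are assumed; the sample omits them.
SAMPLE_EVENTS = [
    "vssadmin.exe Delete Shadows /all /quiet",
    "vssadmin.exe resize shadowstorage /for=c: /on=c: /maxsize=401MB",
    "vssadmin.exe resize shadowstorage /for=c: /on=c: /maxsize=unbounded",
    "sc.exe config SQLWriter start= disabled",
    "net.exe stop McAfeeDLPAgentService /y",
    'select __path, processid from win32_process where ( caption = "mspub.exe")',
    "notepad.exe C:\\Users\\alice\\notes.txt",
]

# Detection rules: (name, pattern, weight). Weights reflect how rarely the
# behaviour shows up in legitimate administration. Shrinking shadow storage
# (the /maxsize=401MB step) forces Windows to discard existing shadow copies.
RULES = [
    ("shadow_delete", r"vssadmin(\.exe)?\s+delete\s+shadows\b", 5),
    ("shadow_resize", r"vssadmin(\.exe)?\s+resize\s+shadowstorage\b.*/maxsize=", 2),
    ("service_disable", r"\bsc(\.exe)?\s+config\s+\S+\s+start=\s*disabled\b", 2),
    ("service_stop", r"\bnet(\.exe)?\s+stop\s+\S+", 1),
    ("wql_process_lookup",
     r"from\s+win32_process\b.*caption\s*=\s*\"?(mspub|mydesktopqos|mydesktopservice)\.exe", 2),
]
COMPILED = [(n, re.compile(p, re.IGNORECASE), w) for n, p, w in RULES]

def match_rules(event):
    """Return (rule name, weight) for every rule that fires on one event."""
    return [(name, w) for name, rx, w in COMPILED if rx.search(event)]

def triage(events, threshold=8):
    """Score one host's events. A cluster of these commands in close succession,
    not any single one, is what separates ransomware preparation from admin work."""
    hits, score = {}, 0
    for ev in events:
        for name, w in match_rules(ev):
            hits[name] = hits.get(name, 0) + 1
            score += w
    return {"score": score, "hits": hits, "alert": score >= threshold}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```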

Thanos is another example of just how robust modern ransomware services can be, and how far they have come since the early days of RaaS offerings such as Ransom32 and EncryptorRaaS. With a focus on evasion and active development of features in response to customer needs, Thanos is cementing its position as a primary tool for low-to-mid level criminals looking for an effective, easy-to-use malware tool that will both yield results and allow them to customize for their own specific target groups.